I seem to not be getting the intended behavior from a NAT box. What I was
hoping is to limit services to the firewall after allowing a few ports in
(ftp, ssh, http, https, etc.). But when I use the following rules, I do not
get RSTs when connecting to $wlan_if on any other port (e.g. 54199).
The logs show the connection attempt as being blocked, but the
connecting-host has to wait for the connection to time-out.
Any help is appreciated; I'm running 3.6-CURRENT. Thanks.
######################################################################################
#; Variables
######################################################################################
# Interface macros: lo0 loopback, de0 external/upstream, fxp0 wireless LAN,
# enc0 IPsec. Only $ext_if and $wlan_if are referenced by the rules below.
loopbk = "lo0"
ext_if = "de0"
wlan_if = "fxp0"
ipsec_if = "enc0"
# Individual hosts on the wireless LAN. $donald, $lp and $cp are defined but
# not used by any rule in this ruleset.
donald = "10.116.131.13"
daisy = "10.116.131.14"
cirque = "10.116.131.15"
broadcast = "255.255.255.255"
ps2 = "10.116.131.27"
ap = "10.116.131.31"
lp = "10.116.131.94"
cp = "10.116.131.97"
# Address lists built from the host macros (pf list syntax "{ ... }").
edp = "{" $cirque "}"
jap = "{" $daisy "}"
# TCP services the firewall itself offers on $wlan_if, per source host.
# NOTE(review): port 21 is rdr'ed to 127.0.0.1:8021 further down; presumably
# the filter rules then see the translated destination, so the "ftp" entry in
# these lists may never match -- confirm against the pf version in use.
tcp_wlanif = "{ ftp, ssh, http, https }"
ps2_wlanif = "{ ftp, http, https }"
# Remote networks allowed to reach ssh on $ext_if. The "x."/"y." octets look
# like redaction for the mailing list; pfctl would reject them as written.
table <dpu> persist { x.4.180, x.4.81.181, \
x.4.81.182, x.4.21.128/29 }
table <nxious> persist { y.42.42.14, x.4.16.40 }
table <olt> persist { 110.3.43.1, 110.52.36.84 }
# Unallocated/reserved source space, loaded from a file; "persist" keeps the
# table even when it is empty.
# NOTE(review): a bogon list only stays correct while the file is refreshed as
# address space gets allocated -- a stale list silently blocks legitimate peers.
table <bogon> persist file "/etc/bogon.txt"
# Action abbreviations. Several ($aspf, $bi, $bo, $bil, $bol, $boq, $bolq,
# $blk, $po, $pol, $ss) are unused here; unused macros are harmless.
# Every "block" below inherits "set block-policy return" from the options
# section, whether or not it spells out "return".
aspf = "antispoof log"
bi = "block in"
bo = "block out"
bil = "block in log"
biq = "block in quick"
bol = "block out log"
boq = "block out quick"
bilq = "block in log quick"
bolq = "block out log quick"
blk = "block"
pqk = "pass quick"
pi = "pass in"
po = "pass out"
pil = "pass in log"
piq = "pass in quick"
pol = "pass out log"
poq = "pass out quick"
pilq = "pass in log quick"
polq = "pass out log quick"
# State options appended to pass rules: keep state, modulate state (random
# initial sequence numbers), synproxy state (unused below).
ks = "keep state"
ms = "modulate state"
ss = "synproxy state"
######################################################################################
#; Set logging of stats on the given interface.
######################################################################################
# Interface counters shown by "pfctl -s info" are gathered for $ext_if only.
set loginterface $ext_if
set timeout { interval 10, frag 27 }
set limit { frags 45000, states 35000 }
set optimization aggressive
# Default for every block rule: blocked TCP is answered with a RST, blocked UDP
# with an ICMP unreachable, everything else is dropped silently.
set block-policy return
######################################################################################
#; NAT/RDR
######################################################################################
# Normalisation: clear DF and randomise IP IDs on the way out, clamp MSS to
# 1440; reassemble fragments and raise very low TTLs on the way in.
scrub out all no-df random-id max-mss 1440
scrub in all no-df fragment reassemble min-ttl 3
# Masquerade the wireless LAN behind $ext_if; the parentheses make pf re-read
# the (possibly dynamic) interface address on every packet.
nat on $ext_if from $wlan_if:network to any -> ($ext_if)
# Any TCP/21 seen on $wlan_if -- to this box or to the Internet -- is redirected
# to the local ftp proxy on 127.0.0.1:8021.
rdr on $wlan_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
######################################################################################
#; Rules
######################################################################################
# Default deny, first in the list. Rules without "quick" are last-match, so a
# packet is blocked (and logged) only if no later rule passes it. Labels use
# the pf label macros $nr (rule number), $if (interface) and $dstport.
# NOTE(review): several rules below were wrapped onto two lines in transit
# (this label, the bogon/broadcast labels and the trailing $ks/$ms of some
# pass rules). pf.conf needs them on one line or continued with a backslash.
block return log all label
"$nr:$if-block-log"
# Loopback is unfiltered (written as literal lo0 rather than $loopbk).
$pqk on lo0 all label "$nr:$if-pass"
# Bogon sources are dropped on the external side; on the wireless side anything
# that is a bogon or not from the wireless subnet is dropped as well.
$bilq on $ext_if from <bogon> to any label "$nr:$if-bogon"
$bilq on $wlan_if from { <bogon>, !$wlan_if:network } to any label
"$nr:$if-bogon"
# Limited-broadcast traffic arriving on the external interface is dropped.
$biq on $ext_if from any to $broadcast label
"$nr:$if-broadcast"
# Outbound from the firewall: everything is passed. New TCP connections (SYN
# without ACK) get modulate state, remaining TCP/UDP/ICMP keep state, and any
# other IP protocol is passed without state.
$poq inet proto tcp all flags S/SA label "$nr:$if-pass-synack-out" $ms
$poq inet proto tcp all label "$nr:$if-pass-tcp-out" $ks
$poq inet proto udp all label "$nr:$if-pass-udp-out" $ks
$poq inet proto icmp all label "$nr:$if-pass-icmp-out" $ks
$poq all label "$nr:$if-pass-ip-out"
### Allowed from local network to wlan_if
# Per-host service access to the firewall's own wireless address; the label
# records the destination port so the log shows which service was hit.
$piq on $wlan_if inet proto tcp \
from $edp to $wlan_if port $tcp_wlanif label "$nr:$if-edp-$dstport-in" $ms
$piq on $wlan_if inet proto tcp \
from $jap to $wlan_if port $tcp_wlanif label "$nr:$if-jap-$dstport-in" $ms
$piq on $wlan_if inet proto tcp \
from $ps2 to $wlan_if port $ps2_wlanif label "$nr:$if-ps2-$dstport-in" $ms
# Connections initiated by the firewall towards $edp on the same ports.
$poq on $wlan_if inet proto tcp \
from $wlan_if to $edp port $tcp_wlanif label "$nr:$if-edp-$dstport-out" $ms
# DHCP requests from any source (clients have no address yet), then DNS over
# UDP and TCP, and NTP, from the wireless subnet to this box.
$piq on $wlan_if inet proto udp \
from any to any port bootps label "$nr:$if-bootps-in" $ks
$piq on $wlan_if inet proto udp \
from $wlan_if:network to $wlan_if port domain label "$nr:$if-domain-udp-in"
$ks
$piq on $wlan_if inet proto tcp \
from $wlan_if:network to $wlan_if port domain label "$nr:$if-domain-tcp-in"
$ms
$piq on $wlan_if inet proto udp \
from $wlan_if:network to $wlan_if port ntp label "$nr:$if-ntp-in"
$ks
# Anything else from the LAN aimed at the firewall's wireless address is
# refused: TCP/UDP explicitly with "return", every other protocol by the
# $bilq catch-all (which also inherits block-policy return). Both sit before
# the broad "to any" pass rules, so those cannot re-admit this traffic.
# NOTE(review): the "no RST on other ports" symptom is not explained by the
# rule text alone; check which rule number the blocked packets log against
# (pflog0 / "pfctl -s rules -vv") before rearranging the rules.
block return in log quick on $wlan_if inet proto { tcp, udp } \
from $wlan_if:network to $wlan_if label "$nr:$if-block-in"
$bilq on $wlan_if from $wlan_if:network to $wlan_if label
"$nr:$if-block-in"
# Logged access from the LAN to the access point's ping and web interface.
$polq on $wlan_if inet proto icmp \
from $wlan_if:network to $ap icmp-type echoreq label
"$nr:$if-accesspoint-icmp-out" $ks
$polq on $wlan_if inet proto tcp \
from $wlan_if:network to $ap port http label
"$nr:$if-accesspoint-http-out" $ks
# LAN clients may go anywhere: TCP/UDP/ICMP with state, and any other IP
# protocol stateless (the last rule has no keep state clause).
$piq on $wlan_if inet proto tcp \
from $wlan_if:network to any label "$nr:$if-wlan-tcp-$dstport-in" $ms
$piq on $wlan_if inet proto udp \
from $wlan_if:network to any label "$nr:$if-wlan-udp-$dstport-in" $ks
$piq on $wlan_if inet proto icmp \
from $wlan_if:network to any label "$nr:$if-wlan-icmp-in" $ks
$piq on $wlan_if from $wlan_if:network to any label "$nr:$if-ip-in"
# Echo requests are accepted and logged on both interfaces, and the firewall
# may ping the wireless LAN.
$pilq on { $wlan_if, $ext_if } inet proto icmp all \
icmp-type echoreq label "$nr:$if-icmp-echo" $ks
$polq on $wlan_if inet proto icmp \
from $wlan_if to $wlan_if:network icmp-type echoreq label "$nr:$if-icmp-echo"
$ks
# ssh on the external interface, restricted by source table. These rules are
# not "quick" and nothing later matches them, so last-match still lets them
# win over the default block. Only the <olt> sources are logged.
$pi on $ext_if inet proto tcp from <nxious> to $ext_if \
port ssh label "$nr:$if-nxious-ssh-in" $ms
$pi on $ext_if inet proto tcp from <dpu> to $ext_if \
port ssh label "$nr:$if-dpu-ssh-in" $ms
$pil on $ext_if inet proto tcp from <olt> to $ext_if \
port ssh label "$nr:$if-olt-ssh-in" $ms
# Active-mode FTP data connections (remote source port 20) to the external
# address. The source port is chosen by the remote side, so the real
# restriction is "user proxy": the rule only matches when the local socket
# belongs to user proxy (presumably the ftp proxy's data listener).
$piq on $ext_if inet proto tcp \
from port 20 to ($ext_if) user proxy flags S/SA label "$nr:$if-ftp-proxy" $ks